PCI DSS merchant compliance is built on four separate levels all dependant on the business you run and your transaction volume.
Applies to merchants processing more than six million real-world credit or debit card transactions annually. Conducted by a PCI QSA (Qualified Security Assessor), they must undergo an internal audit once a year. In addition, once a quarter they must submit a quarterly network security scan by an Approved Scanning Vendor (ASV).
Applies to merchants processing between one and six million real-world credit or debit card transactions annually. They’re required to complete an assessment once a year using a PCI DSS Self-Assessment Questionnaire (SAQ). Additionally, a quarterly network scan may be required. Use of a PCI QSA is optional.
Applies to merchants processing between 20,000 and one million e-commerce transactions annually. They must complete a yearly assessment using the relevant Annual Self-Assessment Questionnaire. Quarterly scanning may also be required. Use of a PCI QSA is optional.
Applies to merchants processing fewer than 20,000 e-commerce transactions annually, or those that process up to one million real-world transactions. A yearly assessment using the relevant SAQ must be completed, and a quarterly network scan may be required. Use of a PCI QSA is optional.
PCI DSS compliance is enforced by individual payment brands or acquiring banks. Some businesses rely on an internal auditor to enforce their PCI compliance. However, Cardstream are validated to Level 1 Service Provider status and work closely with an external QSA Company to ensure we are meeting PCI DSS and PCI 3DS compliance.
1. Application code reviews
2. Assessment of app security
3. Integrated Fraud Protection
4. Velocity Checks
5. 3DSV2
6. Hosted Solutions
7. Tokenisation
If you qualify for certain self-assessment Questionnaires (SAQs) or you electronically store cardholder data post authorisation, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance. If you qualify for any of the following SAQs under version 3.2.1 of the PCI DSS, then you are required to have a passing ASV scan:
• SAQ A-EP
• SAQ B-IP
• SAQ C-VT
• SAQ D-Merchant
• SAQ D-Service Provider
Yes. All businesses that store, process or transmit payment cardholder data must be PCI DSS compliant. If you accept card payments over the phone (MOTO transactions), this still applies. As a PCI DSS compliant business, Cardstream will always ensure the highest possible cardholder data security standards when you carry out MOTO transactions.
Cardstream has a range of tools to help merchants maintain their PCI DSS compliance. For example, our Hosted Form solution which would require the merchant to fill out an SAQ-A, will ensure that the merchant meets PCI DSS compliance, with the minimum requirements set, in order to process payments securely. If the merchant, however, chooses to utilise a direct integration where the cardholder data would be collected in the merchant’s own business environment, the merchant should already be operating a PCI DSS compliant environment. If they are not, this may lead to additional costs and administrative overhead to maintain their own PCI DSS secure environment.
We also offer other PCI DSS compliant tools such as, tokenisation which involves the collecting, storing and processing of arbitrary data linked to cardholder data and finally, the secure virtual terminal which allows merchants to securely process a MOTO transaction in a PCI DSS secure way.
Please click here to read our blog on PCI DSS compliance.
For more information about PCI DSS, contact solutions@cardstream.com